Document: Viruses Worms doc


Viruses & Worms
CS431
Dick Steflik

A Couple of Definitions:
• A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user.
• “A program that replicates by ‘infecting’ other programs, so that they contain a copy of the virus”

How
• Viral code is attached or “inserted” into the order of execution so that when the legitimate code is run, the viral code is also run, or is run instead of the legitimate code.
• May be “tacked” on to the end of an executable file or inserted into unused program space.
• Legitimate code must be modified so that the viral code is branched/vectored to.

Most viruses:
• Do not damage the original program or damage the hardware
  – May damage data files
  – “Trash” firmware
  – Mess up boot records
• But, some do
• For this reason most can be cleaned up with anti-virus software.

The Normal Virus works like this:
• User calls for a legitimate program
• The virus code, having inserted itself in the order of execution, executes instead of or in addition to the legitimate program.
• The virus code terminates and returns control to the legitimate program

“In The Wild”
• A virus is said to be “in the wild” when it has either escaped or been released from its controlled or development environment to the general population.
• For a virus to be considered In the Wild, it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users.

The Wildlist
• http://wildlist.org is an organization that maintains a list of “in the wild” viruses
• According to wildlist.org:
  – To be considered “in the wild” a virus must be reported by two or more virus professionals who report to the Wildlist Organization
• Must also be accompanied by replicated samples
• This strictness ensures that Wildlist viruses are definitely out there doing damage.
How they work:
Basic structure:
{
    look for one or more infectable objects
    if (none found)
        exit
    else
        infect object
}
Doesn’t remain in memory, but executes all of the viral code at once, then returns control to the infected program

Memory Resident Viruses
• Virus that installs itself into memory and stays there after the host program terminates so it can infect other programs that come along.
• Boot sector infectors work this way

Major Components of Viruses
• Infection code
  – This is the part that locates an infectable object (previous snippet)
• Payload
  – Any operation that any other program can do but is usually something meant to be irritating or possibly destructive.
• Trigger
  – Whatever sets it off, time-of-day, program execution by user.

[...]

...Classifications:
• Boot Sector infectors
• File infectors
• Multipartite viruses
• Macro viruses
• Scripting viruses
• Other

Boot Sector infectors
• Used to be really popular, but with fewer people using floppy disks, are becoming rare
• Hard to write so other methods like scripting and macro viruses...

... disinfect)

File Infectors
• File viruses infect executable files
• Historically haven’t been very successful at spreading
• Fast infectors – try to infect as many other files as possible (instant gratification)
• Sparse infectors – only infect a few files at a time (in order to not be conspicuous)
• Most really successful file infectors are classified as Worms

... macro virus
• Usually spread as an e-mail attachment

Script Viruses
• Usually refers to VBScript but could be any scripting environment such as Unix shell scripts, Hypercard scripts, Javascript
• Usually sent as e-mail attachments with a doctored-up file name such as:
  – Filename .doc. bat to fool user into opening it

Memetic Viruses
• These are not computer viruses but rather attempts at social engineering or getting...
... mailing lists, Usenet newsgroups, and message boards
The original hoax started in early December, 1994
It sprang up again in March of 1995
In mid-April, a new version of the hoax that ment

Worms
• Worms are a subset of viruses
• They differ in the method of attachment; rather than attaching to a file like a virus, a worm copies itself across the network without attachment
• Infects the environment rather...

Multipartite Viruses
• Viruses that use more than one infection mechanism
  – File and Boot viruses
• Becoming more popular with virus writers

Macro Viruses
• Infect programming environments rather than OSes or files
• Almost any application that has its own macro programming environment
  – MS Office (Word, Excel, Access…)...

... running on mainframes rather than PCs, spreading over a different network, and scripted using REXX rather than VBScript

Morris Worm
• The Morris worm or Internet worm was one of the first computer worms distributed via the Internet; it is considered the first worm and was certainly the first to gain significant mainstream media attention
• It also resulted in the first conviction under the 1986 Computer...
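
The doctored attachment name described under Script Viruses (a document-looking extension followed by an executable one such as .bat) can be flagged mechanically at a mail gateway. The following is an added example, not part of the original slides; the extension lists and function names are assumptions chosen for illustration, and it goes slightly beyond the slide by also handling space padding, trailing dots, full-width dots and mixed case.

```python
import re
import unicodedata

# Final extensions that Windows executes or hands to a script host.
# Constructed sample list for this example, not a complete inventory.
EXECUTABLE_EXTS = {"bat", "cmd", "com", "exe", "js", "jse", "pif", "scr",
                   "vbe", "vbs", "wsf", "wsh"}
# Extensions a user reads as "just a document" (also a constructed list).
DECOY_EXTS = {"doc", "docx", "gif", "jpg", "pdf", "txt", "xls", "xlsx"}


def split_extensions(filename):
    """Return (stem, [ext, ...]) with padding and case normalised."""
    # Fold compatibility forms such as a full-width dot into plain ASCII.
    name = unicodedata.normalize("NFKC", filename)
    # Windows ignores trailing dots and spaces when it opens a file.
    name = name.rstrip(". ")
    # Collapse whitespace around dots: "Filename .doc. bat" -> "Filename.doc.bat"
    name = re.sub(r"\s*\.\s*", ".", name)
    parts = name.split(".")
    return parts[0], [p.lower() for p in parts[1:] if p]


def classify_attachment(filename):
    """Classify an attachment name as 'deceptive', 'executable' or 'ok'."""
    _, exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # An executable type hidden behind a document-looking extension.
    if any(ext in DECOY_EXTS for ext in exts[:-1]):
        return "deceptive"
    return "executable"


# Constructed attachment names, used only to exercise the classifier.
SAMPLES = ["Filename .doc. bat", "invoice.doc          .EXE",
           "photo.jpg.scr. ", "setup.exe", "report.v2.final.doc", "README"]


def scan(names):
    """Map each attachment name to its classification."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:10} {name!r}")
```

A gateway would typically quarantine the "deceptive" class outright and apply the site's normal executable-attachment policy to the "executable" class.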

Date posted: 17/02/2014, 14:20

Table of contents

  • Viruses & Worms

  • A Couple of Definitions:

  • How

  • Most viruses:

  • The Normal Virus works like this:

  • “In The Wild”

  • The Wildlist

  • How they work:

  • Memory Resident Viruses

  • Major Components of Viruses

  • Classifications:

  • Boot Sector infectors

  • File Infectors

  • Multipartite Viruses

  • Macro Viruses

  • Script Viruses

  • Memetic Viruses

  • Worms

  • CHRISTMA EXEC

  • Morris Worm
